Episode 58
Joseph Carson:
Hello, everyone. Welcome to another episode of 401 Access Denied. It's your biweekly podcast. I'm your host for the episode, Joseph Carson. And I'm joined by my next co-host, which is Chloé. Chloé, can you tell us about yourself?
Chloé Messdaghi:
Hi, everyone. My name is Chloé Messdaghi and I'm the Chief Impact Officer over at Cybrary.
Joseph Carson:
Awesome.
Chloé Messdaghi:
And I get to be this awesome person's podcast person.
Joseph Carson:
It's always great to have another great person on the episode. That can really add a lot of value. We're also joined by another amazing guest today, Bob Burns. Can you tell us about yourself and what you do?
Robert Burns:
Thanks, Joe and Chloé. I appreciate the opportunity. I'm the chief security officer for a division of Thales called Thales Cloud Protection and Licensing. And I basically am in charge of our security teams across all of our products and cloud offerings. I've been in cyber security before it was called cyber security. Started as a software engineer a long time ago. I won't talk about how long ago it was.
Robert Burns:
But I ended up progressing and building my career around building crypto, building secure software, figuring out how to do that as a discipline on my own, and then building teams around that. And then, eventually into the position I am now, where I'm managing three different teams across multiple disciplines to try to improve and make sure our products are secure, and keeping our customers as risk-free as possible.
Joseph Carson:
Awesome. One of the things that I was interested in. The types of roles that you're doing and having teams and different ideas. How to make sure that it's meeting the business needs. How do you go about it? What are your priorities? How do you go through the risk and prioritize what's the most important for you?
Robert Burns:
That is a great question. That's something I wrestle with a lot. I think one of my north stars of the things that I tell my teams is that, while we care about the business, we obviously need to keep the lights on, and we do everything that we need to do to make the product secure ... At the end of the day, our primary objective is to really look after the customer risk. Our customers are buying our products and using our services because they have a risk. And if we don't do our jobs, they get impacted.
Robert Burns:
Yes, there's always a business impact on our side. But at the end of the day, we are really trying to make sure that the customer risk is being managed. And that we're meeting the promises that we make our customers with respect to the security controls that we're giving them. That's really the primary principle. Then, we fold off of that, depending on the services. Whether it's cloud services. Or whether it be building hardware encryption products. Or whether we're building communication products.
Robert Burns:
It all manifests slightly differently, and it comes down that way. I have different teams. One, is I look after product security. Security engineering and architecture. They take a very left of the engineering, SDL side. They worry about whether you're building this thing correctly. I also have the cloud security team, where they're worried about not only building correctly, but also deploying it and operating it securely.
Robert Burns:
And then, we have a whole certification and compliance angle as well, where the markets won't accept our product unless we get some third-party validation and go through that formal process. That actually is a big circle, because it all feeds in. You can't get something certified or complied if you're not building it the right way to begin with. It's kind of a neat circle for my teams.
Joseph Carson:
A lot of responsibility. And a lot of complexity science as well.
Robert Burns:
Yes.
Joseph Carson:
Going forward, how would you build a strategy around that? How do you make sure that your plans for the vision for the year and even forward multiple years ... How do you do even future proofing or thinking about the future of cybersecurity for the business?
Robert Burns:
That's something I've been thinking about a lot this week. The epiphanies I've had over the past couple days. We've gone through the pandemic. The teams instantly went home and worked from their separate quarters. We were all very technical. We focused on the technical problems. We got down to the business of, "How do we do remote work? How do we do this securely? How do we do it in an efficient way? How do we stay productive?"
Robert Burns:
We went through that and we've been living that for two years. I've come out here, and I've found that I've gravitated towards topics that are more about the human condition. Focusing less on the technical. I don't know if it's subliminal, but for some reason, the different chats and things that I've marked on my calendar and I've gone and attended and got the most out of is really around focusing on that.
Robert Burns:
Some of the conversations I've been having out here, reconnecting with people, connecting with new people, having conversations that I've had with my dog under my desk ... She doesn't react exactly the same way that you guys do. That's really opened my eyes. For my strategy going forward, one of the things that I want to focus on is the human-centric aspect of security in multiple dimensions.
Robert Burns:
One, is for my team. I want to make sure that, while we still continue to work remote and hybrid, that we have supportive systems. From both a professional development standpoint, as well as a technology development standpoint. But more importantly, it's all of the teams that we interface with. Because while I have great teams, we're a very small portion of the entire picture.
Robert Burns:
We have to influence teams. We have over 600 engineers that we have to work with. Both in the cloud and the product space. We're a team of 25, so we've got to be able to influence them. You can't just make policies. You can't just put roadblocks in front of them. We've got to work really strongly. Well, we've had good luck doing that in the past, but the pandemic has brought many more barriers to that transition.
Chloé Messdaghi:
What have you learned basically from the pandemic? Has your leadership style changed at all when it comes to your security strategy across your teams?
Robert Burns:
I think it has. Well, it definitely has changed how I manage my teams. That's for sure. Being remote and not being able to travel, not being able to be face-to-face, you have to change some tactics. You have to be in communication a bit more, and you have to be a bit more transparent through other channels. Things that would normally happen organically, you have to force them to happen from that perspective.
Robert Burns:
From a technical strategy standpoint, there really hasn't been any huge epiphanies that came from the pandemic per se, but we still have a lot of challenges around our customer risk. Because our customers are now a lot more remote. They want a lot more access control from places in homes or on phones or wherever their employees may be. That was not the traditional model that we served before from our technology, so we have to rethink.
Robert Burns:
When we go to the teams and we talk about some of the security controls that they need to put in place, from an engineering standpoint, we have to take that into account and say, "Look, your user base has changed." This is no longer people sitting in an enterprise office, putting a smart card in a laptop. They're actually in an airport. Or they're in their barn, where their internet connection is better. Wherever they may be.
Joseph Carson:
Pretty much an organization's network has become the internet.
Robert Burns:
Exactly.
Joseph Carson:
It used to be these closed networks.
Robert Burns:
Exactly.
Joseph Carson:
Where now, you're actually operating in the public internet. And it means that you have to think a lot differently to do security very much for an organization.
Robert Burns:
Certainly, where it changes is our threat model. A lot of what we do, we base it off of a risk-based threat model approach of how we look at where the products are used. Taking that and modifying the threat model. And then, bringing those conversations to the engineering teams to say, "Hey. We need to reconsider this." Things we might have thought were lower risk before become a higher priority, so we have to bump them up.
Robert Burns:
That's going to have a knock-on effect to the things that we do. Whether we're applying tools earlier on in the life cycle, or tools when we deploy into the cloud. That's where we'll get some tactical changes. But from a strategic standpoint, it's really about re-looking at our threat models, what our customers are doing, how the world is different now. How we go about trying to, again, lower the risk for our customers and the people we care about.
Joseph Carson:
Absolutely. Being here at both BSides and RSA ... Is there any specific talks or topics that you really were compelled or really give you something exciting to think about? So that can actually take back with you and maybe start putting into practice. Is there any specific areas that you find that was very interesting?
Robert Burns:
Yes. I think across both. As I mentioned earlier, I was very surprised. I subliminally picked things, and I leaned towards the human stuff. There were a number of really good talks, in fact, around building security programs and around the human condition. Unfortunately, my memory's bad. There was a great one this morning that was here at RSA. That was around the psychology of how humans interact with the world, how they have the lizard brain, and the cognitive brain. That was really excellent.
Robert Burns:
It really got you to think about how the people that you're trying to interact with have different reactions. Also, good programs on building a security program. How you build out a security champions program. About how you increase your sphere of influence into the engineering organizations, to be able to find those advocates who are willing to be a satellite part of your team and make the whole organization stronger. There's been a couple of really good ones on that, that were fantastic. The same at BSides. BSides had some really good talks around the human element, which I gravitated towards.
Chloé Messdaghi:
I just applaud that there's so many more conversations about that human element part. Because I feel like we keep talking about, "Before the pandemic." And then, when the pandemic hits, everyone's like, "I don't understand why Bob isn't doing work." Not you, Bob. But, "I don't understand why Bob isn't doing any work."
Robert Burns:
Do you know me? Do you know me? Oh my goodness.
Chloé Messdaghi:
And then, the next thing you know, it's like ... People are going through a lot of stuff. We're still having that life-changing moment as well. What has been the main takeaway so far from RSA Conference when it comes to that human element problem on security teams?
Robert Burns:
For me, coming from an engineering background, I always have gravitated more towards the technical. That's my solution. When I see a hole, I think about, "How can I fill that? How can I make a tool better? How can I get a different tool? How can I put a pipeline together to solve that problem?" And that's always driven a lot of what we've done as teams as well, is that we've put together the right tools. I think it was Netflix who coined the term, "Paved roads and guardrails," back in 2017.
Robert Burns:
We've been following that paradigm. Because we're a small team, we want to have a bigger impact. What I think I've gotten out of this is that we can't always just fill holes with tools. You can't just give them to a team and assume that they're going to do it. That was one of the things a talk earlier talked about. Around the notion that the engineers are going to react with their lizard brain.
Robert Burns:
When you just tell them, "Here's a big risk. You've got to do this," they want to take the quickest path and they don't want to necessarily see that as a risk. And so, they ignore it. You've got to appeal to their cognitive side. You've got to put it into a frame where they can actually adopt it and realize that, intellectually, this is the right thing to do. Actually, make it less painful for them, so they don't see it as a risk for them or their work. Help them do that. I think I'm going to focus a lot more this year on figuring out strategies to do that.
Joseph Carson:
That's awesome. For me, as well. A few years ago, one of the main themes at RSA was also the human element. For me, organizations really need to invest in the people side. Because it's too often we invest a lot in tools. And then, they hope that people can actually figure out how to make it work. But you need to have the balance.
Joseph Carson:
You need to make sure that the people are well-skilled, well-trained, and they know how to use it properly. Because if they don't, you end up with misconfigurations. Poor implementations with tools that could solve problems, but end up basically resulting in cyber attacks or some type of incident. I definitely think that the people side is so important.
Joseph Carson:
Also, I really enjoyed ... You mentioned Netflix a few years ago, because they also were at the session as well. But I also remember the one at BSides as well. I find it very compelling as well. I've heard similar uses before, but how it was put together and the story. Really thinking about people's stress and how to make sure, how to facilitate, how to give them the time, and how to take it through. We're all working together. We all have the same journey. Let's make sure all of us get through that, and meet at the end successfully.
Joseph Carson:
Because absolutely, security is not a very ... It's not a thankful industry. We always have to remember, at some points in time, you have to stop and enjoy the wins. You have to stop and enjoy and have fun. Because if you don't, it becomes almost a thankless job. You never win. You have to think about, "What does winning mean?" In security, as well. I think we have to redefine that, because how we measure those wins today is not how we should be measuring them.
Robert Burns:
That actually brings to mind an interesting comic from Cyanide. It's been going around InfoSec for the past couple of years, where you have a panel with two little guys with two little smoldering fires. And the next panel is one guy puts out the fire. The other guy's just looking at his, and he lets his get really big. And then, he goes, "Hey, everybody. There's a fire over here."
Robert Burns:
And then, he puts it out, and they put him on his shoulders and carry him away. The guy who put out the fire to start with is just sitting there, not getting celebrated. For not doing the right thing. I frequently go back to that when I talk to my teams. I say, "Look. You're getting the wins. We got to celebrate these little wins." Even if we can't point to an active attack and say, "We stopped that." We've got to say, "Hey. That was a really good framework." Or, "That really made it easy to deploy."
Robert Burns:
We make GitLab templates where they can just pull in things on their CI/CD line for doing secure static analysis or secure code scanning or various other things. Antivirus, pre-deployment. We've rolled those out, and we don't get kudos or slaps on the back, but we know it's being used. We know it's really getting a lot of traction. It makes it easier for them as a paved road to just adopt that capability.
Joseph Carson:
Absolutely. Somebody reminded me that our job industry, if you were to compare it to something else, it's almost like the garbage collectors. It just gets done, but it's not something you go and thank the person for taking away the rubbish. You're making the community cleaner and safer. It's such an important role, but you tend to not see it happening. It's not always out there front and center. Any thoughts that you have, Chloé?
Chloé Messdaghi:
I just think our whole industry has always been like, "We've got to put out the fire." We're not doing preventative work as much, because that's just how it's been. It's always like, "Well, we have to deal with the situation." Well, we don't have enough people.
Chloé Messdaghi:
We don't have enough hours in the day to really plan things out, have that incident response plan up to date. And then, it's always like, "Well, we got to put out another fire." It just feels like when we start getting more proactive, I think that's when we're going to start being more mentally healthy in our industry.
Joseph Carson:
Absolutely. We were talking about that earlier this week, where we were talking about being proactive. How do you make sure that you're having the balance between where you're firefighting and also the balance between actually doing something that helps reduce the fires in the future? That has a long-term strategy. That has a long-term vision. How do you make sure you're having that proper balance?
Joseph Carson:
Because it is difficult to make sure that you are actually ... Whether it being automation. Or whether it being team-building and teamwork to really make sure you've got a good strategy vision. It's fantastic, Bob, having you here. You're really insightful. For me, you've got me excited about something I can take away as well. Any final things for the audience? If there was one thing you would like them to take away, what would it be?
Robert Burns:
For me ... Obviously, I think this really comes out of our recent experience with the pandemic. The thing I've learned, and the thing in retrospect that I've gone back and looked at, is that there does need to be a human connection somehow. Obviously, within safety protocols and as you feel comfortable. I don't want to get into the politics of, "Back to the office."
Robert Burns:
Going back to your point about the things that need to be done to make the team supported. I realized that, because we were in offices, it was happening organically. We had those relationships with the dev teams, because we could sit in front of a whiteboard and we can have the discussions. Or they could come into our cubes and say, "Hey. What about this thing?"
Robert Burns:
I think we've lost some of that. Or at least I know my team has lost some of that. We've had to work harder. That's why I'm thinking about this human element. Now, the new world is not back to the office. We're not going to be back to the office. The thought that we can get that organic back naturally is just not going to happen. Now, we have to work at that. We have to go a little bit further. Figure out our, as you said, strategy.
Robert Burns:
I need to focus, and I need to help my teams focus a little more on being able to develop training materials. Or being able to do this stuff asynchronously, without being able to walk into someone's cube or sit in front of a whiteboard. We've got to find other ways to do it. That's going to be my big mission this year is to work on that.
Joseph Carson:
Absolutely. When you realize that you have to work so much harder now to really build it back in that new environment. It's been awesome having you here. Many thanks for joining us on the episode.
Robert Burns:
Thank you for having me, both of you.
Joseph Carson:
Chloé, it's great having you with me. I'm really excited about more episodes in the future.
Chloé Messdaghi:
Got so many coming.
Joseph Carson:
We do indeed. For everyone, again, this is 401 Access Denied. I'm Joe Carson. Joined with Chloé and Bob. We hope that you tune in every two weeks. Stay safe, take care, and see you soon. Thank you.
Robert Burns:
Thank you.